1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2000-2001 Qualcomm Incorporated 4 Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org> 5 Copyright (C) 2010 Google Inc. 6 Copyright (C) 2011 ProFUSION Embedded Systems 7 8 Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com> 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License version 2 as 12 published by the Free Software Foundation; 13 14 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 17 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 18 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 19 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 23 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 24 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 25 SOFTWARE IS DISCLAIMED. 26 */ 27 28 /* Bluetooth L2CAP sockets. */ 29 30 #include <linux/module.h> 31 #include <linux/export.h> 32 #include <linux/filter.h> 33 #include <linux/sched/signal.h> 34 35 #include <net/bluetooth/bluetooth.h> 36 #include <net/bluetooth/hci_core.h> 37 #include <net/bluetooth/l2cap.h> 38 39 #include "smp.h" 40 41 static struct bt_sock_list l2cap_sk_list = { 42 .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock) 43 }; 44 45 static const struct proto_ops l2cap_sock_ops; 46 static void l2cap_sock_init(struct sock *sk, struct sock *parent); 47 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 48 int proto, gfp_t prio, int kern); 49 static void l2cap_sock_cleanup_listen(struct sock *parent); 50 51 bool l2cap_is_socket(struct socket *sock) 52 { 53 return sock && sock->ops == &l2cap_sock_ops; 54 } 55 EXPORT_SYMBOL(l2cap_is_socket); 56 57 static int l2cap_validate_bredr_psm(u16 psm) 58 { 59 /* PSM must be odd and lsb of upper byte must be 0 */ 60 if ((psm & 0x0101) != 0x0001) 61 return -EINVAL; 62 63 /* Restrict usage of well-known PSMs */ 64 if (psm < L2CAP_PSM_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 65 return -EACCES; 66 67 return 0; 68 } 69 70 static int l2cap_validate_le_psm(u16 psm) 71 { 72 /* Valid LE_PSM ranges are defined only until 0x00ff */ 73 if (psm > L2CAP_PSM_LE_DYN_END) 74 return -EINVAL; 75 76 /* Restrict fixed, SIG assigned PSM values to CAP_NET_BIND_SERVICE */ 77 if (psm < L2CAP_PSM_LE_DYN_START && !capable(CAP_NET_BIND_SERVICE)) 78 return -EACCES; 79 80 return 0; 81 } 82 83 static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 84 { 85 struct sock *sk = sock->sk; 86 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 87 struct sockaddr_l2 la; 88 int len, err = 0; 89 90 BT_DBG("sk %p", sk); 91 92 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 93 addr->sa_family != AF_BLUETOOTH) 94 return -EINVAL; 95 96 memset(&la, 0, sizeof(la)); 97 len = min_t(unsigned int, sizeof(la), alen); 98 memcpy(&la, addr, len); 99 100 if (la.l2_cid && la.l2_psm) 101 return -EINVAL; 102 103 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 104 return -EINVAL; 105 106 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 107 /* We only allow ATT user space socket */ 108 if (la.l2_cid && 109 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 110 return -EINVAL; 111 } 112 113 lock_sock(sk); 114 115 if (sk->sk_state != BT_OPEN) { 116 err = -EBADFD; 117 goto done; 118 } 119 120 if (la.l2_psm) { 121 __u16 psm = __le16_to_cpu(la.l2_psm); 122 123 if (la.l2_bdaddr_type == BDADDR_BREDR) 124 err = l2cap_validate_bredr_psm(psm); 125 else 126 err = l2cap_validate_le_psm(psm); 127 128 if (err) 129 goto done; 130 } 131 132 bacpy(&chan->src, &la.l2_bdaddr); 133 chan->src_type = la.l2_bdaddr_type; 134 135 if (la.l2_cid) 136 err = l2cap_add_scid(chan, __le16_to_cpu(la.l2_cid)); 137 else 138 err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm); 139 140 if (err < 0) 141 goto done; 142 143 switch (chan->chan_type) { 144 case L2CAP_CHAN_CONN_LESS: 145 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_3DSP) 146 chan->sec_level = BT_SECURITY_SDP; 147 break; 148 case L2CAP_CHAN_CONN_ORIENTED: 149 if (__le16_to_cpu(la.l2_psm) == L2CAP_PSM_SDP || 150 __le16_to_cpu(la.l2_psm) == L2CAP_PSM_RFCOMM) 151 chan->sec_level = BT_SECURITY_SDP; 152 break; 153 case L2CAP_CHAN_RAW: 154 chan->sec_level = BT_SECURITY_SDP; 155 break; 156 case L2CAP_CHAN_FIXED: 157 /* Fixed channels default to the L2CAP core not holding a 158 * hci_conn reference for them. For fixed channels mapping to 159 * L2CAP sockets we do want to hold a reference so set the 160 * appropriate flag to request it. 161 */ 162 set_bit(FLAG_HOLD_HCI_CONN, &chan->flags); 163 break; 164 } 165 166 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 167 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 168 */ 169 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 170 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 171 chan->mode = L2CAP_MODE_LE_FLOWCTL; 172 173 chan->state = BT_BOUND; 174 sk->sk_state = BT_BOUND; 175 176 done: 177 release_sock(sk); 178 return err; 179 } 180 181 static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, 182 int alen, int flags) 183 { 184 struct sock *sk = sock->sk; 185 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 186 struct sockaddr_l2 la; 187 int len, err = 0; 188 bool zapped; 189 190 BT_DBG("sk %p", sk); 191 192 lock_sock(sk); 193 zapped = sock_flag(sk, SOCK_ZAPPED); 194 release_sock(sk); 195 196 if (zapped) 197 return -EINVAL; 198 199 if (!addr || alen < offsetofend(struct sockaddr, sa_family) || 200 addr->sa_family != AF_BLUETOOTH) 201 return -EINVAL; 202 203 memset(&la, 0, sizeof(la)); 204 len = min_t(unsigned int, sizeof(la), alen); 205 memcpy(&la, addr, len); 206 207 if (la.l2_cid && la.l2_psm) 208 return -EINVAL; 209 210 if (!bdaddr_type_is_valid(la.l2_bdaddr_type)) 211 return -EINVAL; 212 213 /* Check that the socket wasn't bound to something that 214 * conflicts with the address given to connect(). If chan->src 215 * is BDADDR_ANY it means bind() was never used, in which case 216 * chan->src_type and la.l2_bdaddr_type do not need to match. 217 */ 218 if (chan->src_type == BDADDR_BREDR && bacmp(&chan->src, BDADDR_ANY) && 219 bdaddr_type_is_le(la.l2_bdaddr_type)) { 220 /* Old user space versions will try to incorrectly bind 221 * the ATT socket using BDADDR_BREDR. We need to accept 222 * this and fix up the source address type only when 223 * both the source CID and destination CID indicate 224 * ATT. Anything else is an invalid combination. 225 */ 226 if (chan->scid != L2CAP_CID_ATT || 227 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 228 return -EINVAL; 229 230 /* We don't have the hdev available here to make a 231 * better decision on random vs public, but since all 232 * user space versions that exhibit this issue anyway do 233 * not support random local addresses assuming public 234 * here is good enough. 235 */ 236 chan->src_type = BDADDR_LE_PUBLIC; 237 } 238 239 if (chan->src_type != BDADDR_BREDR && la.l2_bdaddr_type == BDADDR_BREDR) 240 return -EINVAL; 241 242 if (bdaddr_type_is_le(la.l2_bdaddr_type)) { 243 /* We only allow ATT user space socket */ 244 if (la.l2_cid && 245 la.l2_cid != cpu_to_le16(L2CAP_CID_ATT)) 246 return -EINVAL; 247 } 248 249 /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and 250 * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set. 251 */ 252 if (chan->psm && bdaddr_type_is_le(chan->src_type) && 253 chan->mode != L2CAP_MODE_EXT_FLOWCTL) 254 chan->mode = L2CAP_MODE_LE_FLOWCTL; 255 256 err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid), 257 &la.l2_bdaddr, la.l2_bdaddr_type); 258 if (err) 259 return err; 260 261 lock_sock(sk); 262 263 err = bt_sock_wait_state(sk, BT_CONNECTED, 264 sock_sndtimeo(sk, flags & O_NONBLOCK)); 265 266 release_sock(sk); 267 268 return err; 269 } 270 271 static int l2cap_sock_listen(struct socket *sock, int backlog) 272 { 273 struct sock *sk = sock->sk; 274 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 275 int err = 0; 276 277 BT_DBG("sk %p backlog %d", sk, backlog); 278 279 lock_sock(sk); 280 281 if (sk->sk_state != BT_BOUND) { 282 err = -EBADFD; 283 goto done; 284 } 285 286 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM) { 287 err = -EINVAL; 288 goto done; 289 } 290 291 switch (chan->mode) { 292 case L2CAP_MODE_BASIC: 293 case L2CAP_MODE_LE_FLOWCTL: 294 break; 295 case L2CAP_MODE_EXT_FLOWCTL: 296 if (!enable_ecred) { 297 err = -EOPNOTSUPP; 298 goto done; 299 } 300 break; 301 case L2CAP_MODE_ERTM: 302 case L2CAP_MODE_STREAMING: 303 if (!disable_ertm) 304 break; 305 fallthrough; 306 default: 307 err = -EOPNOTSUPP; 308 goto done; 309 } 310 311 sk->sk_max_ack_backlog = backlog; 312 sk->sk_ack_backlog = 0; 313 314 /* Listening channels need to use nested locking in order not to 315 * cause lockdep warnings when the created child channels end up 316 * being locked in the same thread as the parent channel. 317 */ 318 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 319 320 chan->state = BT_LISTEN; 321 sk->sk_state = BT_LISTEN; 322 323 done: 324 release_sock(sk); 325 return err; 326 } 327 328 static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, 329 int flags, bool kern) 330 { 331 DEFINE_WAIT_FUNC(wait, woken_wake_function); 332 struct sock *sk = sock->sk, *nsk; 333 long timeo; 334 int err = 0; 335 336 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 337 338 timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK); 339 340 BT_DBG("sk %p timeo %ld", sk, timeo); 341 342 /* Wait for an incoming connection. (wake-one). */ 343 add_wait_queue_exclusive(sk_sleep(sk), &wait); 344 while (1) { 345 if (sk->sk_state != BT_LISTEN) { 346 err = -EBADFD; 347 break; 348 } 349 350 nsk = bt_accept_dequeue(sk, newsock); 351 if (nsk) 352 break; 353 354 if (!timeo) { 355 err = -EAGAIN; 356 break; 357 } 358 359 if (signal_pending(current)) { 360 err = sock_intr_errno(timeo); 361 break; 362 } 363 364 release_sock(sk); 365 366 timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo); 367 368 lock_sock_nested(sk, L2CAP_NESTING_PARENT); 369 } 370 remove_wait_queue(sk_sleep(sk), &wait); 371 372 if (err) 373 goto done; 374 375 newsock->state = SS_CONNECTED; 376 377 BT_DBG("new socket %p", nsk); 378 379 done: 380 release_sock(sk); 381 return err; 382 } 383 384 static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, 385 int peer) 386 { 387 struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr; 388 struct sock *sk = sock->sk; 389 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 390 391 BT_DBG("sock %p, sk %p", sock, sk); 392 393 if (peer && sk->sk_state != BT_CONNECTED && 394 sk->sk_state != BT_CONNECT && sk->sk_state != BT_CONNECT2 && 395 sk->sk_state != BT_CONFIG) 396 return -ENOTCONN; 397 398 memset(la, 0, sizeof(struct sockaddr_l2)); 399 addr->sa_family = AF_BLUETOOTH; 400 401 la->l2_psm = chan->psm; 402 403 if (peer) { 404 bacpy(&la->l2_bdaddr, &chan->dst); 405 la->l2_cid = cpu_to_le16(chan->dcid); 406 la->l2_bdaddr_type = chan->dst_type; 407 } else { 408 bacpy(&la->l2_bdaddr, &chan->src); 409 la->l2_cid = cpu_to_le16(chan->scid); 410 la->l2_bdaddr_type = chan->src_type; 411 } 412 413 return sizeof(struct sockaddr_l2); 414 } 415 416 static int l2cap_get_mode(struct l2cap_chan *chan) 417 { 418 switch (chan->mode) { 419 case L2CAP_MODE_BASIC: 420 return BT_MODE_BASIC; 421 case L2CAP_MODE_ERTM: 422 return BT_MODE_ERTM; 423 case L2CAP_MODE_STREAMING: 424 return BT_MODE_STREAMING; 425 case L2CAP_MODE_LE_FLOWCTL: 426 return BT_MODE_LE_FLOWCTL; 427 case L2CAP_MODE_EXT_FLOWCTL: 428 return BT_MODE_EXT_FLOWCTL; 429 } 430 431 return -EINVAL; 432 } 433 434 static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, 435 char __user *optval, int __user *optlen) 436 { 437 struct sock *sk = sock->sk; 438 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 439 struct l2cap_options opts; 440 struct l2cap_conninfo cinfo; 441 int err = 0; 442 size_t len; 443 u32 opt; 444 445 BT_DBG("sk %p", sk); 446 447 if (get_user(len, optlen)) 448 return -EFAULT; 449 450 lock_sock(sk); 451 452 switch (optname) { 453 case L2CAP_OPTIONS: 454 /* LE sockets should use BT_SNDMTU/BT_RCVMTU, but since 455 * legacy ATT code depends on getsockopt for 456 * L2CAP_OPTIONS we need to let this pass. 457 */ 458 if (bdaddr_type_is_le(chan->src_type) && 459 chan->scid != L2CAP_CID_ATT) { 460 err = -EINVAL; 461 break; 462 } 463 464 /* Only BR/EDR modes are supported here */ 465 switch (chan->mode) { 466 case L2CAP_MODE_BASIC: 467 case L2CAP_MODE_ERTM: 468 case L2CAP_MODE_STREAMING: 469 break; 470 default: 471 err = -EINVAL; 472 break; 473 } 474 475 if (err < 0) 476 break; 477 478 memset(&opts, 0, sizeof(opts)); 479 opts.imtu = chan->imtu; 480 opts.omtu = chan->omtu; 481 opts.flush_to = chan->flush_to; 482 opts.mode = chan->mode; 483 opts.fcs = chan->fcs; 484 opts.max_tx = chan->max_tx; 485 opts.txwin_size = chan->tx_win; 486 487 BT_DBG("mode 0x%2.2x", chan->mode); 488 489 len = min(len, sizeof(opts)); 490 if (copy_to_user(optval, (char *) &opts, len)) 491 err = -EFAULT; 492 493 break; 494 495 case L2CAP_LM: 496 switch (chan->sec_level) { 497 case BT_SECURITY_LOW: 498 opt = L2CAP_LM_AUTH; 499 break; 500 case BT_SECURITY_MEDIUM: 501 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT; 502 break; 503 case BT_SECURITY_HIGH: 504 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 505 L2CAP_LM_SECURE; 506 break; 507 case BT_SECURITY_FIPS: 508 opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT | 509 L2CAP_LM_SECURE | L2CAP_LM_FIPS; 510 break; 511 default: 512 opt = 0; 513 break; 514 } 515 516 if (test_bit(FLAG_ROLE_SWITCH, &chan->flags)) 517 opt |= L2CAP_LM_MASTER; 518 519 if (test_bit(FLAG_FORCE_RELIABLE, &chan->flags)) 520 opt |= L2CAP_LM_RELIABLE; 521 522 if (put_user(opt, (u32 __user *) optval)) 523 err = -EFAULT; 524 525 break; 526 527 case L2CAP_CONNINFO: 528 if (sk->sk_state != BT_CONNECTED && 529 !(sk->sk_state == BT_CONNECT2 && 530 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags))) { 531 err = -ENOTCONN; 532 break; 533 } 534 535 memset(&cinfo, 0, sizeof(cinfo)); 536 cinfo.hci_handle = chan->conn->hcon->handle; 537 memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3); 538 539 len = min(len, sizeof(cinfo)); 540 if (copy_to_user(optval, (char *) &cinfo, len)) 541 err = -EFAULT; 542 543 break; 544 545 default: 546 err = -ENOPROTOOPT; 547 break; 548 } 549 550 release_sock(sk); 551 return err; 552 } 553 554 static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, 555 char __user *optval, int __user *optlen) 556 { 557 struct sock *sk = sock->sk; 558 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 559 struct bt_security sec; 560 struct bt_power pwr; 561 u32 phys; 562 int len, mode, err = 0; 563 564 BT_DBG("sk %p", sk); 565 566 if (level == SOL_L2CAP) 567 return l2cap_sock_getsockopt_old(sock, optname, optval, optlen); 568 569 if (level != SOL_BLUETOOTH) 570 return -ENOPROTOOPT; 571 572 if (get_user(len, optlen)) 573 return -EFAULT; 574 575 lock_sock(sk); 576 577 switch (optname) { 578 case BT_SECURITY: 579 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 580 chan->chan_type != L2CAP_CHAN_FIXED && 581 chan->chan_type != L2CAP_CHAN_RAW) { 582 err = -EINVAL; 583 break; 584 } 585 586 memset(&sec, 0, sizeof(sec)); 587 if (chan->conn) { 588 sec.level = chan->conn->hcon->sec_level; 589 590 if (sk->sk_state == BT_CONNECTED) 591 sec.key_size = chan->conn->hcon->enc_key_size; 592 } else { 593 sec.level = chan->sec_level; 594 } 595 596 len = min_t(unsigned int, len, sizeof(sec)); 597 if (copy_to_user(optval, (char *) &sec, len)) 598 err = -EFAULT; 599 600 break; 601 602 case BT_DEFER_SETUP: 603 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 604 err = -EINVAL; 605 break; 606 } 607 608 if (put_user(test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags), 609 (u32 __user *) optval)) 610 err = -EFAULT; 611 612 break; 613 614 case BT_FLUSHABLE: 615 if (put_user(test_bit(FLAG_FLUSHABLE, &chan->flags), 616 (u32 __user *) optval)) 617 err = -EFAULT; 618 619 break; 620 621 case BT_POWER: 622 if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM 623 && sk->sk_type != SOCK_RAW) { 624 err = -EINVAL; 625 break; 626 } 627 628 pwr.force_active = test_bit(FLAG_FORCE_ACTIVE, &chan->flags); 629 630 len = min_t(unsigned int, len, sizeof(pwr)); 631 if (copy_to_user(optval, (char *) &pwr, len)) 632 err = -EFAULT; 633 634 break; 635 636 case BT_CHANNEL_POLICY: 637 if (put_user(chan->chan_policy, (u32 __user *) optval)) 638 err = -EFAULT; 639 break; 640 641 case BT_SNDMTU: 642 if (!bdaddr_type_is_le(chan->src_type)) { 643 err = -EINVAL; 644 break; 645 } 646 647 if (sk->sk_state != BT_CONNECTED) { 648 err = -ENOTCONN; 649 break; 650 } 651 652 if (put_user(chan->omtu, (u16 __user *) optval)) 653 err = -EFAULT; 654 break; 655 656 case BT_RCVMTU: 657 if (!bdaddr_type_is_le(chan->src_type)) { 658 err = -EINVAL; 659 break; 660 } 661 662 if (put_user(chan->imtu, (u16 __user *) optval)) 663 err = -EFAULT; 664 break; 665 666 case BT_PHY: 667 if (sk->sk_state != BT_CONNECTED) { 668 err = -ENOTCONN; 669 break; 670 } 671 672 phys = hci_conn_get_phy(chan->conn->hcon); 673 674 if (put_user(phys, (u32 __user *) optval)) 675 err = -EFAULT; 676 break; 677 678 case BT_MODE: 679 if (!enable_ecred) { 680 err = -ENOPROTOOPT; 681 break; 682 } 683 684 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 685 err = -EINVAL; 686 break; 687 } 688 689 mode = l2cap_get_mode(chan); 690 if (mode < 0) { 691 err = mode; 692 break; 693 } 694 695 if (put_user(mode, (u8 __user *) optval)) 696 err = -EFAULT; 697 break; 698 699 default: 700 err = -ENOPROTOOPT; 701 break; 702 } 703 704 release_sock(sk); 705 return err; 706 } 707 708 static bool l2cap_valid_mtu(struct l2cap_chan *chan, u16 mtu) 709 { 710 switch (chan->scid) { 711 case L2CAP_CID_ATT: 712 if (mtu < L2CAP_LE_MIN_MTU) 713 return false; 714 break; 715 716 default: 717 if (mtu < L2CAP_DEFAULT_MIN_MTU) 718 return false; 719 } 720 721 return true; 722 } 723 724 static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, 725 sockptr_t optval, unsigned int optlen) 726 { 727 struct sock *sk = sock->sk; 728 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 729 struct l2cap_options opts; 730 int len, err = 0; 731 u32 opt; 732 733 BT_DBG("sk %p", sk); 734 735 lock_sock(sk); 736 737 switch (optname) { 738 case L2CAP_OPTIONS: 739 if (bdaddr_type_is_le(chan->src_type)) { 740 err = -EINVAL; 741 break; 742 } 743 744 if (sk->sk_state == BT_CONNECTED) { 745 err = -EINVAL; 746 break; 747 } 748 749 opts.imtu = chan->imtu; 750 opts.omtu = chan->omtu; 751 opts.flush_to = chan->flush_to; 752 opts.mode = chan->mode; 753 opts.fcs = chan->fcs; 754 opts.max_tx = chan->max_tx; 755 opts.txwin_size = chan->tx_win; 756 757 len = min_t(unsigned int, sizeof(opts), optlen); 758 if (copy_from_sockptr(&opts, optval, len)) { 759 err = -EFAULT; 760 break; 761 } 762 763 if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) { 764 err = -EINVAL; 765 break; 766 } 767 768 if (!l2cap_valid_mtu(chan, opts.imtu)) { 769 err = -EINVAL; 770 break; 771 } 772 773 /* Only BR/EDR modes are supported here */ 774 switch (opts.mode) { 775 case L2CAP_MODE_BASIC: 776 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 777 break; 778 case L2CAP_MODE_ERTM: 779 case L2CAP_MODE_STREAMING: 780 if (!disable_ertm) 781 break; 782 fallthrough; 783 default: 784 err = -EINVAL; 785 break; 786 } 787 788 if (err < 0) 789 break; 790 791 chan->mode = opts.mode; 792 793 BT_DBG("mode 0x%2.2x", chan->mode); 794 795 chan->imtu = opts.imtu; 796 chan->omtu = opts.omtu; 797 chan->fcs = opts.fcs; 798 chan->max_tx = opts.max_tx; 799 chan->tx_win = opts.txwin_size; 800 chan->flush_to = opts.flush_to; 801 break; 802 803 case L2CAP_LM: 804 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 805 err = -EFAULT; 806 break; 807 } 808 809 if (opt & L2CAP_LM_FIPS) { 810 err = -EINVAL; 811 break; 812 } 813 814 if (opt & L2CAP_LM_AUTH) 815 chan->sec_level = BT_SECURITY_LOW; 816 if (opt & L2CAP_LM_ENCRYPT) 817 chan->sec_level = BT_SECURITY_MEDIUM; 818 if (opt & L2CAP_LM_SECURE) 819 chan->sec_level = BT_SECURITY_HIGH; 820 821 if (opt & L2CAP_LM_MASTER) 822 set_bit(FLAG_ROLE_SWITCH, &chan->flags); 823 else 824 clear_bit(FLAG_ROLE_SWITCH, &chan->flags); 825 826 if (opt & L2CAP_LM_RELIABLE) 827 set_bit(FLAG_FORCE_RELIABLE, &chan->flags); 828 else 829 clear_bit(FLAG_FORCE_RELIABLE, &chan->flags); 830 break; 831 832 default: 833 err = -ENOPROTOOPT; 834 break; 835 } 836 837 release_sock(sk); 838 return err; 839 } 840 841 static int l2cap_set_mode(struct l2cap_chan *chan, u8 mode) 842 { 843 switch (mode) { 844 case BT_MODE_BASIC: 845 if (bdaddr_type_is_le(chan->src_type)) 846 return -EINVAL; 847 mode = L2CAP_MODE_BASIC; 848 clear_bit(CONF_STATE2_DEVICE, &chan->conf_state); 849 break; 850 case BT_MODE_ERTM: 851 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 852 return -EINVAL; 853 mode = L2CAP_MODE_ERTM; 854 break; 855 case BT_MODE_STREAMING: 856 if (!disable_ertm || bdaddr_type_is_le(chan->src_type)) 857 return -EINVAL; 858 mode = L2CAP_MODE_STREAMING; 859 break; 860 case BT_MODE_LE_FLOWCTL: 861 if (!bdaddr_type_is_le(chan->src_type)) 862 return -EINVAL; 863 mode = L2CAP_MODE_LE_FLOWCTL; 864 break; 865 case BT_MODE_EXT_FLOWCTL: 866 /* TODO: Add support for ECRED PDUs to BR/EDR */ 867 if (!bdaddr_type_is_le(chan->src_type)) 868 return -EINVAL; 869 mode = L2CAP_MODE_EXT_FLOWCTL; 870 break; 871 default: 872 return -EINVAL; 873 } 874 875 chan->mode = mode; 876 877 return 0; 878 } 879 880 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, 881 sockptr_t optval, unsigned int optlen) 882 { 883 struct sock *sk = sock->sk; 884 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 885 struct bt_security sec; 886 struct bt_power pwr; 887 struct l2cap_conn *conn; 888 int len, err = 0; 889 u32 opt; 890 u16 mtu; 891 u8 mode; 892 893 BT_DBG("sk %p", sk); 894 895 if (level == SOL_L2CAP) 896 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen); 897 898 if (level != SOL_BLUETOOTH) 899 return -ENOPROTOOPT; 900 901 lock_sock(sk); 902 903 switch (optname) { 904 case BT_SECURITY: 905 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 906 chan->chan_type != L2CAP_CHAN_FIXED && 907 chan->chan_type != L2CAP_CHAN_RAW) { 908 err = -EINVAL; 909 break; 910 } 911 912 sec.level = BT_SECURITY_LOW; 913 914 len = min_t(unsigned int, sizeof(sec), optlen); 915 if (copy_from_sockptr(&sec, optval, len)) { 916 err = -EFAULT; 917 break; 918 } 919 920 if (sec.level < BT_SECURITY_LOW || 921 sec.level > BT_SECURITY_FIPS) { 922 err = -EINVAL; 923 break; 924 } 925 926 chan->sec_level = sec.level; 927 928 if (!chan->conn) 929 break; 930 931 conn = chan->conn; 932 933 /* change security for LE channels */ 934 if (chan->scid == L2CAP_CID_ATT) { 935 if (smp_conn_security(conn->hcon, sec.level)) { 936 err = -EINVAL; 937 break; 938 } 939 940 set_bit(FLAG_PENDING_SECURITY, &chan->flags); 941 sk->sk_state = BT_CONFIG; 942 chan->state = BT_CONFIG; 943 944 /* or for ACL link */ 945 } else if ((sk->sk_state == BT_CONNECT2 && 946 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) || 947 sk->sk_state == BT_CONNECTED) { 948 if (!l2cap_chan_check_security(chan, true)) 949 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 950 else 951 sk->sk_state_change(sk); 952 } else { 953 err = -EINVAL; 954 } 955 break; 956 957 case BT_DEFER_SETUP: 958 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) { 959 err = -EINVAL; 960 break; 961 } 962 963 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 964 err = -EFAULT; 965 break; 966 } 967 968 if (opt) { 969 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 970 set_bit(FLAG_DEFER_SETUP, &chan->flags); 971 } else { 972 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); 973 clear_bit(FLAG_DEFER_SETUP, &chan->flags); 974 } 975 break; 976 977 case BT_FLUSHABLE: 978 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 979 err = -EFAULT; 980 break; 981 } 982 983 if (opt > BT_FLUSHABLE_ON) { 984 err = -EINVAL; 985 break; 986 } 987 988 if (opt == BT_FLUSHABLE_OFF) { 989 conn = chan->conn; 990 /* proceed further only when we have l2cap_conn and 991 No Flush support in the LM */ 992 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) { 993 err = -EINVAL; 994 break; 995 } 996 } 997 998 if (opt) 999 set_bit(FLAG_FLUSHABLE, &chan->flags); 1000 else 1001 clear_bit(FLAG_FLUSHABLE, &chan->flags); 1002 break; 1003 1004 case BT_POWER: 1005 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED && 1006 chan->chan_type != L2CAP_CHAN_RAW) { 1007 err = -EINVAL; 1008 break; 1009 } 1010 1011 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON; 1012 1013 len = min_t(unsigned int, sizeof(pwr), optlen); 1014 if (copy_from_sockptr(&pwr, optval, len)) { 1015 err = -EFAULT; 1016 break; 1017 } 1018 1019 if (pwr.force_active) 1020 set_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1021 else 1022 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags); 1023 break; 1024 1025 case BT_CHANNEL_POLICY: 1026 if (copy_from_sockptr(&opt, optval, sizeof(u32))) { 1027 err = -EFAULT; 1028 break; 1029 } 1030 1031 err = -EOPNOTSUPP; 1032 break; 1033 1034 case BT_SNDMTU: 1035 if (!bdaddr_type_is_le(chan->src_type)) { 1036 err = -EINVAL; 1037 break; 1038 } 1039 1040 /* Setting is not supported as it's the remote side that 1041 * decides this. 1042 */ 1043 err = -EPERM; 1044 break; 1045 1046 case BT_RCVMTU: 1047 if (!bdaddr_type_is_le(chan->src_type)) { 1048 err = -EINVAL; 1049 break; 1050 } 1051 1052 if (chan->mode == L2CAP_MODE_LE_FLOWCTL && 1053 sk->sk_state == BT_CONNECTED) { 1054 err = -EISCONN; 1055 break; 1056 } 1057 1058 if (copy_from_sockptr(&mtu, optval, sizeof(u16))) { 1059 err = -EFAULT; 1060 break; 1061 } 1062 1063 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL && 1064 sk->sk_state == BT_CONNECTED) 1065 err = l2cap_chan_reconfigure(chan, mtu); 1066 else 1067 chan->imtu = mtu; 1068 1069 break; 1070 1071 case BT_MODE: 1072 if (!enable_ecred) { 1073 err = -ENOPROTOOPT; 1074 break; 1075 } 1076 1077 BT_DBG("sk->sk_state %u", sk->sk_state); 1078 1079 if (sk->sk_state != BT_BOUND) { 1080 err = -EINVAL; 1081 break; 1082 } 1083 1084 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) { 1085 err = -EINVAL; 1086 break; 1087 } 1088 1089 if (copy_from_sockptr(&mode, optval, sizeof(u8))) { 1090 err = -EFAULT; 1091 break; 1092 } 1093 1094 BT_DBG("mode %u", mode); 1095 1096 err = l2cap_set_mode(chan, mode); 1097 if (err) 1098 break; 1099 1100 BT_DBG("mode 0x%2.2x", chan->mode); 1101 1102 break; 1103 1104 default: 1105 err = -ENOPROTOOPT; 1106 break; 1107 } 1108 1109 release_sock(sk); 1110 return err; 1111 } 1112 1113 static int l2cap_sock_sendmsg(struct socket *sock, struct msghdr *msg, 1114 size_t len) 1115 { 1116 struct sock *sk = sock->sk; 1117 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1118 int err; 1119 1120 BT_DBG("sock %p, sk %p", sock, sk); 1121 1122 err = sock_error(sk); 1123 if (err) 1124 return err; 1125 1126 if (msg->msg_flags & MSG_OOB) 1127 return -EOPNOTSUPP; 1128 1129 if (sk->sk_state != BT_CONNECTED) 1130 return -ENOTCONN; 1131 1132 lock_sock(sk); 1133 err = bt_sock_wait_ready(sk, msg->msg_flags); 1134 release_sock(sk); 1135 if (err) 1136 return err; 1137 1138 l2cap_chan_lock(chan); 1139 err = l2cap_chan_send(chan, msg, len); 1140 l2cap_chan_unlock(chan); 1141 1142 return err; 1143 } 1144 1145 static void l2cap_publish_rx_avail(struct l2cap_chan *chan) 1146 { 1147 struct sock *sk = chan->data; 1148 ssize_t avail = sk->sk_rcvbuf - atomic_read(&sk->sk_rmem_alloc); 1149 int expected_skbs, skb_overhead; 1150 1151 if (avail <= 0) { 1152 l2cap_chan_rx_avail(chan, 0); 1153 return; 1154 } 1155 1156 if (!chan->mps) { 1157 l2cap_chan_rx_avail(chan, -1); 1158 return; 1159 } 1160 1161 /* Correct available memory by estimated sk_buff overhead. 1162 * This is significant due to small transfer sizes. However, accept 1163 * at least one full packet if receive space is non-zero. 1164 */ 1165 expected_skbs = DIV_ROUND_UP(avail, chan->mps); 1166 skb_overhead = expected_skbs * sizeof(struct sk_buff); 1167 if (skb_overhead < avail) 1168 l2cap_chan_rx_avail(chan, avail - skb_overhead); 1169 else 1170 l2cap_chan_rx_avail(chan, -1); 1171 } 1172 1173 static int l2cap_sock_recvmsg(struct socket *sock, struct msghdr *msg, 1174 size_t len, int flags) 1175 { 1176 struct sock *sk = sock->sk; 1177 struct l2cap_pinfo *pi = l2cap_pi(sk); 1178 int err; 1179 1180 lock_sock(sk); 1181 1182 if (sk->sk_state == BT_CONNECT2 && test_bit(BT_SK_DEFER_SETUP, 1183 &bt_sk(sk)->flags)) { 1184 if (pi->chan->mode == L2CAP_MODE_EXT_FLOWCTL) { 1185 sk->sk_state = BT_CONNECTED; 1186 pi->chan->state = BT_CONNECTED; 1187 __l2cap_ecred_conn_rsp_defer(pi->chan); 1188 } else if (bdaddr_type_is_le(pi->chan->src_type)) { 1189 sk->sk_state = BT_CONNECTED; 1190 pi->chan->state = BT_CONNECTED; 1191 __l2cap_le_connect_rsp_defer(pi->chan); 1192 } else { 1193 sk->sk_state = BT_CONFIG; 1194 pi->chan->state = BT_CONFIG; 1195 __l2cap_connect_rsp_defer(pi->chan); 1196 } 1197 1198 err = 0; 1199 goto done; 1200 } 1201 1202 release_sock(sk); 1203 1204 if (sock->type == SOCK_STREAM) 1205 err = bt_sock_stream_recvmsg(sock, msg, len, flags); 1206 else 1207 err = bt_sock_recvmsg(sock, msg, len, flags); 1208 1209 if (pi->chan->mode != L2CAP_MODE_ERTM && 1210 pi->chan->mode != L2CAP_MODE_LE_FLOWCTL && 1211 pi->chan->mode != L2CAP_MODE_EXT_FLOWCTL) 1212 return err; 1213 1214 lock_sock(sk); 1215 1216 l2cap_publish_rx_avail(pi->chan); 1217 1218 /* Attempt to put pending rx data in the socket buffer */ 1219 while (!list_empty(&pi->rx_busy)) { 1220 struct l2cap_rx_busy *rx_busy = 1221 list_first_entry(&pi->rx_busy, 1222 struct l2cap_rx_busy, 1223 list); 1224 if (__sock_queue_rcv_skb(sk, rx_busy->skb) < 0) 1225 goto done; 1226 list_del(&rx_busy->list); 1227 kfree(rx_busy); 1228 } 1229 1230 /* Restore data flow when half of the receive buffer is 1231 * available. This avoids resending large numbers of 1232 * frames. 1233 */ 1234 if (test_bit(CONN_LOCAL_BUSY, &pi->chan->conn_state) && 1235 atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf >> 1) 1236 l2cap_chan_busy(pi->chan, 0); 1237 1238 done: 1239 release_sock(sk); 1240 return err; 1241 } 1242 1243 /* Kill socket (only if zapped and orphan) 1244 * Must be called on unlocked socket, with l2cap channel lock. 1245 */ 1246 static void l2cap_sock_kill(struct sock *sk) 1247 { 1248 if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) 1249 return; 1250 1251 BT_DBG("sk %p state %s", sk, state_to_string(sk->sk_state)); 1252 1253 /* Sock is dead, so set chan data to NULL, avoid other task use invalid 1254 * sock pointer. 1255 */ 1256 l2cap_pi(sk)->chan->data = NULL; 1257 /* Kill poor orphan */ 1258 1259 l2cap_chan_put(l2cap_pi(sk)->chan); 1260 sock_set_flag(sk, SOCK_DEAD); 1261 sock_put(sk); 1262 } 1263 1264 static int __l2cap_wait_ack(struct sock *sk, struct l2cap_chan *chan) 1265 { 1266 DECLARE_WAITQUEUE(wait, current); 1267 int err = 0; 1268 int timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1269 /* Timeout to prevent infinite loop */ 1270 unsigned long timeout = jiffies + L2CAP_WAIT_ACK_TIMEOUT; 1271 1272 add_wait_queue(sk_sleep(sk), &wait); 1273 set_current_state(TASK_INTERRUPTIBLE); 1274 do { 1275 BT_DBG("Waiting for %d ACKs, timeout %04d ms", 1276 chan->unacked_frames, time_after(jiffies, timeout) ? 0 : 1277 jiffies_to_msecs(timeout - jiffies)); 1278 1279 if (!timeo) 1280 timeo = L2CAP_WAIT_ACK_POLL_PERIOD; 1281 1282 if (signal_pending(current)) { 1283 err = sock_intr_errno(timeo); 1284 break; 1285 } 1286 1287 release_sock(sk); 1288 timeo = schedule_timeout(timeo); 1289 lock_sock(sk); 1290 set_current_state(TASK_INTERRUPTIBLE); 1291 1292 err = sock_error(sk); 1293 if (err) 1294 break; 1295 1296 if (time_after(jiffies, timeout)) { 1297 err = -ENOLINK; 1298 break; 1299 } 1300 1301 } while (chan->unacked_frames > 0 && 1302 chan->state == BT_CONNECTED); 1303 1304 set_current_state(TASK_RUNNING); 1305 remove_wait_queue(sk_sleep(sk), &wait); 1306 return err; 1307 } 1308 1309 static int l2cap_sock_shutdown(struct socket *sock, int how) 1310 { 1311 struct sock *sk = sock->sk; 1312 struct l2cap_chan *chan; 1313 struct l2cap_conn *conn; 1314 int err = 0; 1315 1316 BT_DBG("sock %p, sk %p, how %d", sock, sk, how); 1317 1318 /* 'how' parameter is mapped to sk_shutdown as follows: 1319 * SHUT_RD (0) --> RCV_SHUTDOWN (1) 1320 * SHUT_WR (1) --> SEND_SHUTDOWN (2) 1321 * SHUT_RDWR (2) --> SHUTDOWN_MASK (3) 1322 */ 1323 how++; 1324 1325 if (!sk) 1326 return 0; 1327 1328 lock_sock(sk); 1329 1330 if ((sk->sk_shutdown & how) == how) 1331 goto shutdown_already; 1332 1333 BT_DBG("Handling sock shutdown"); 1334 1335 /* prevent sk structure from being freed whilst unlocked */ 1336 sock_hold(sk); 1337 1338 chan = l2cap_pi(sk)->chan; 1339 /* prevent chan structure from being freed whilst unlocked */ 1340 l2cap_chan_hold(chan); 1341 1342 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1343 1344 if (chan->mode == L2CAP_MODE_ERTM && 1345 chan->unacked_frames > 0 && 1346 chan->state == BT_CONNECTED) { 1347 err = __l2cap_wait_ack(sk, chan); 1348 1349 /* After waiting for ACKs, check whether shutdown 1350 * has already been actioned to close the L2CAP 1351 * link such as by l2cap_disconnection_req(). 1352 */ 1353 if ((sk->sk_shutdown & how) == how) 1354 goto shutdown_matched; 1355 } 1356 1357 /* Try setting the RCV_SHUTDOWN bit, return early if SEND_SHUTDOWN 1358 * is already set 1359 */ 1360 if ((how & RCV_SHUTDOWN) && !(sk->sk_shutdown & RCV_SHUTDOWN)) { 1361 sk->sk_shutdown |= RCV_SHUTDOWN; 1362 if ((sk->sk_shutdown & how) == how) 1363 goto shutdown_matched; 1364 } 1365 1366 sk->sk_shutdown |= SEND_SHUTDOWN; 1367 release_sock(sk); 1368 1369 l2cap_chan_lock(chan); 1370 conn = chan->conn; 1371 if (conn) 1372 /* prevent conn structure from being freed */ 1373 l2cap_conn_get(conn); 1374 l2cap_chan_unlock(chan); 1375 1376 if (conn) 1377 /* mutex lock must be taken before l2cap_chan_lock() */ 1378 mutex_lock(&conn->chan_lock); 1379 1380 l2cap_chan_lock(chan); 1381 l2cap_chan_close(chan, 0); 1382 l2cap_chan_unlock(chan); 1383 1384 if (conn) { 1385 mutex_unlock(&conn->chan_lock); 1386 l2cap_conn_put(conn); 1387 } 1388 1389 lock_sock(sk); 1390 1391 if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && 1392 !(current->flags & PF_EXITING)) 1393 err = bt_sock_wait_state(sk, BT_CLOSED, 1394 sk->sk_lingertime); 1395 1396 shutdown_matched: 1397 l2cap_chan_put(chan); 1398 sock_put(sk); 1399 1400 shutdown_already: 1401 if (!err && sk->sk_err) 1402 err = -sk->sk_err; 1403 1404 release_sock(sk); 1405 1406 BT_DBG("Sock shutdown complete err: %d", err); 1407 1408 return err; 1409 } 1410 1411 static int l2cap_sock_release(struct socket *sock) 1412 { 1413 struct sock *sk = sock->sk; 1414 int err; 1415 struct l2cap_chan *chan; 1416 1417 BT_DBG("sock %p, sk %p", sock, sk); 1418 1419 if (!sk) 1420 return 0; 1421 1422 l2cap_sock_cleanup_listen(sk); 1423 bt_sock_unlink(&l2cap_sk_list, sk); 1424 1425 err = l2cap_sock_shutdown(sock, SHUT_RDWR); 1426 chan = l2cap_pi(sk)->chan; 1427 1428 l2cap_chan_hold(chan); 1429 l2cap_chan_lock(chan); 1430 1431 sock_orphan(sk); 1432 l2cap_sock_kill(sk); 1433 1434 l2cap_chan_unlock(chan); 1435 l2cap_chan_put(chan); 1436 1437 return err; 1438 } 1439 1440 static void l2cap_sock_cleanup_listen(struct sock *parent) 1441 { 1442 struct sock *sk; 1443 1444 BT_DBG("parent %p state %s", parent, 1445 state_to_string(parent->sk_state)); 1446 1447 /* Close not yet accepted channels */ 1448 while ((sk = bt_accept_dequeue(parent, NULL))) { 1449 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1450 1451 BT_DBG("child chan %p state %s", chan, 1452 state_to_string(chan->state)); 1453 1454 l2cap_chan_hold(chan); 1455 l2cap_chan_lock(chan); 1456 1457 __clear_chan_timer(chan); 1458 l2cap_chan_close(chan, ECONNRESET); 1459 l2cap_sock_kill(sk); 1460 1461 l2cap_chan_unlock(chan); 1462 l2cap_chan_put(chan); 1463 } 1464 } 1465 1466 static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan) 1467 { 1468 struct sock *sk, *parent = chan->data; 1469 1470 lock_sock(parent); 1471 1472 /* Check for backlog size */ 1473 if (sk_acceptq_is_full(parent)) { 1474 BT_DBG("backlog full %d", parent->sk_ack_backlog); 1475 release_sock(parent); 1476 return NULL; 1477 } 1478 1479 sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, 1480 GFP_ATOMIC, 0); 1481 if (!sk) { 1482 release_sock(parent); 1483 return NULL; 1484 } 1485 1486 bt_sock_reclassify_lock(sk, BTPROTO_L2CAP); 1487 1488 l2cap_sock_init(sk, parent); 1489 1490 bt_accept_enqueue(parent, sk, false); 1491 1492 release_sock(parent); 1493 1494 return l2cap_pi(sk)->chan; 1495 } 1496 1497 static int l2cap_sock_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 1498 { 1499 struct sock *sk; 1500 struct l2cap_pinfo *pi; 1501 int err; 1502 1503 sk = chan->data; 1504 if (!sk) 1505 return -ENXIO; 1506 1507 pi = l2cap_pi(sk); 1508 lock_sock(sk); 1509 if (chan->mode == L2CAP_MODE_ERTM && !list_empty(&pi->rx_busy)) { 1510 err = -ENOMEM; 1511 goto done; 1512 } 1513 1514 if (chan->mode != L2CAP_MODE_ERTM && 1515 chan->mode != L2CAP_MODE_STREAMING && 1516 chan->mode != L2CAP_MODE_LE_FLOWCTL && 1517 chan->mode != L2CAP_MODE_EXT_FLOWCTL) { 1518 /* Even if no filter is attached, we could potentially 1519 * get errors from security modules, etc. 1520 */ 1521 err = sk_filter(sk, skb); 1522 if (err) 1523 goto done; 1524 } 1525 1526 err = __sock_queue_rcv_skb(sk, skb); 1527 1528 l2cap_publish_rx_avail(chan); 1529 1530 /* For ERTM and LE, handle a skb that doesn't fit into the recv 1531 * buffer. This is important to do because the data frames 1532 * have already been acked, so the skb cannot be discarded. 1533 * 1534 * Notify the l2cap core that the buffer is full, so the 1535 * LOCAL_BUSY state is entered and no more frames are 1536 * acked and reassembled until there is buffer space 1537 * available. 1538 */ 1539 if (err < 0 && 1540 (chan->mode == L2CAP_MODE_ERTM || 1541 chan->mode == L2CAP_MODE_LE_FLOWCTL || 1542 chan->mode == L2CAP_MODE_EXT_FLOWCTL)) { 1543 struct l2cap_rx_busy *rx_busy = 1544 kmalloc(sizeof(*rx_busy), GFP_KERNEL); 1545 if (!rx_busy) { 1546 err = -ENOMEM; 1547 goto done; 1548 } 1549 rx_busy->skb = skb; 1550 list_add_tail(&rx_busy->list, &pi->rx_busy); 1551 l2cap_chan_busy(chan, 1); 1552 err = 0; 1553 } 1554 1555 done: 1556 release_sock(sk); 1557 1558 return err; 1559 } 1560 1561 static void l2cap_sock_close_cb(struct l2cap_chan *chan) 1562 { 1563 struct sock *sk = chan->data; 1564 1565 if (!sk) 1566 return; 1567 1568 l2cap_sock_kill(sk); 1569 } 1570 1571 static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) 1572 { 1573 struct sock *sk = chan->data; 1574 struct sock *parent; 1575 1576 if (!sk) 1577 return; 1578 1579 BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); 1580 1581 /* This callback can be called both for server (BT_LISTEN) 1582 * sockets as well as "normal" ones. To avoid lockdep warnings 1583 * with child socket locking (through l2cap_sock_cleanup_listen) 1584 * we need separation into separate nesting levels. The simplest 1585 * way to accomplish this is to inherit the nesting level used 1586 * for the channel. 1587 */ 1588 lock_sock_nested(sk, atomic_read(&chan->nesting)); 1589 1590 parent = bt_sk(sk)->parent; 1591 1592 switch (chan->state) { 1593 case BT_OPEN: 1594 case BT_BOUND: 1595 case BT_CLOSED: 1596 break; 1597 case BT_LISTEN: 1598 l2cap_sock_cleanup_listen(sk); 1599 sk->sk_state = BT_CLOSED; 1600 chan->state = BT_CLOSED; 1601 1602 break; 1603 default: 1604 sk->sk_state = BT_CLOSED; 1605 chan->state = BT_CLOSED; 1606 1607 sk->sk_err = err; 1608 1609 if (parent) { 1610 bt_accept_unlink(sk); 1611 parent->sk_data_ready(parent); 1612 } else { 1613 sk->sk_state_change(sk); 1614 } 1615 1616 break; 1617 } 1618 release_sock(sk); 1619 1620 /* Only zap after cleanup to avoid use after free race */ 1621 sock_set_flag(sk, SOCK_ZAPPED); 1622 1623 } 1624 1625 static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, 1626 int err) 1627 { 1628 struct sock *sk = chan->data; 1629 1630 sk->sk_state = state; 1631 1632 if (err) 1633 sk->sk_err = err; 1634 } 1635 1636 static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, 1637 unsigned long hdr_len, 1638 unsigned long len, int nb) 1639 { 1640 struct sock *sk = chan->data; 1641 struct sk_buff *skb; 1642 int err; 1643 1644 l2cap_chan_unlock(chan); 1645 skb = bt_skb_send_alloc(sk, hdr_len + len, nb, &err); 1646 l2cap_chan_lock(chan); 1647 1648 if (!skb) 1649 return ERR_PTR(err); 1650 1651 /* Channel lock is released before requesting new skb and then 1652 * reacquired thus we need to recheck channel state. 1653 */ 1654 if (chan->state != BT_CONNECTED) { 1655 kfree_skb(skb); 1656 return ERR_PTR(-ENOTCONN); 1657 } 1658 1659 skb->priority = sk->sk_priority; 1660 1661 bt_cb(skb)->l2cap.chan = chan; 1662 1663 return skb; 1664 } 1665 1666 static void l2cap_sock_ready_cb(struct l2cap_chan *chan) 1667 { 1668 struct sock *sk = chan->data; 1669 struct sock *parent; 1670 1671 lock_sock(sk); 1672 1673 parent = bt_sk(sk)->parent; 1674 1675 BT_DBG("sk %p, parent %p", sk, parent); 1676 1677 sk->sk_state = BT_CONNECTED; 1678 sk->sk_state_change(sk); 1679 1680 if (parent) 1681 parent->sk_data_ready(parent); 1682 1683 release_sock(sk); 1684 } 1685 1686 static void l2cap_sock_defer_cb(struct l2cap_chan *chan) 1687 { 1688 struct sock *parent, *sk = chan->data; 1689 1690 lock_sock(sk); 1691 1692 parent = bt_sk(sk)->parent; 1693 if (parent) 1694 parent->sk_data_ready(parent); 1695 1696 release_sock(sk); 1697 } 1698 1699 static void l2cap_sock_resume_cb(struct l2cap_chan *chan) 1700 { 1701 struct sock *sk = chan->data; 1702 1703 if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { 1704 sk->sk_state = BT_CONNECTED; 1705 chan->state = BT_CONNECTED; 1706 } 1707 1708 clear_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1709 sk->sk_state_change(sk); 1710 } 1711 1712 static void l2cap_sock_set_shutdown_cb(struct l2cap_chan *chan) 1713 { 1714 struct sock *sk = chan->data; 1715 1716 lock_sock(sk); 1717 sk->sk_shutdown = SHUTDOWN_MASK; 1718 release_sock(sk); 1719 } 1720 1721 static long l2cap_sock_get_sndtimeo_cb(struct l2cap_chan *chan) 1722 { 1723 struct sock *sk = chan->data; 1724 1725 return sk->sk_sndtimeo; 1726 } 1727 1728 static struct pid *l2cap_sock_get_peer_pid_cb(struct l2cap_chan *chan) 1729 { 1730 struct sock *sk = chan->data; 1731 1732 return sk->sk_peer_pid; 1733 } 1734 1735 static void l2cap_sock_suspend_cb(struct l2cap_chan *chan) 1736 { 1737 struct sock *sk = chan->data; 1738 1739 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags); 1740 sk->sk_state_change(sk); 1741 } 1742 1743 static int l2cap_sock_filter(struct l2cap_chan *chan, struct sk_buff *skb) 1744 { 1745 struct sock *sk = chan->data; 1746 1747 switch (chan->mode) { 1748 case L2CAP_MODE_ERTM: 1749 case L2CAP_MODE_STREAMING: 1750 return sk_filter(sk, skb); 1751 } 1752 1753 return 0; 1754 } 1755 1756 static const struct l2cap_ops l2cap_chan_ops = { 1757 .name = "L2CAP Socket Interface", 1758 .new_connection = l2cap_sock_new_connection_cb, 1759 .recv = l2cap_sock_recv_cb, 1760 .close = l2cap_sock_close_cb, 1761 .teardown = l2cap_sock_teardown_cb, 1762 .state_change = l2cap_sock_state_change_cb, 1763 .ready = l2cap_sock_ready_cb, 1764 .defer = l2cap_sock_defer_cb, 1765 .resume = l2cap_sock_resume_cb, 1766 .suspend = l2cap_sock_suspend_cb, 1767 .set_shutdown = l2cap_sock_set_shutdown_cb, 1768 .get_sndtimeo = l2cap_sock_get_sndtimeo_cb, 1769 .get_peer_pid = l2cap_sock_get_peer_pid_cb, 1770 .alloc_skb = l2cap_sock_alloc_skb_cb, 1771 .filter = l2cap_sock_filter, 1772 }; 1773 1774 static void l2cap_sock_destruct(struct sock *sk) 1775 { 1776 struct l2cap_rx_busy *rx_busy, *next; 1777 1778 BT_DBG("sk %p", sk); 1779 1780 if (l2cap_pi(sk)->chan) { 1781 l2cap_pi(sk)->chan->data = NULL; 1782 l2cap_chan_put(l2cap_pi(sk)->chan); 1783 } 1784 1785 list_for_each_entry_safe(rx_busy, next, &l2cap_pi(sk)->rx_busy, list) { 1786 kfree_skb(rx_busy->skb); 1787 list_del(&rx_busy->list); 1788 kfree(rx_busy); 1789 } 1790 1791 skb_queue_purge(&sk->sk_receive_queue); 1792 skb_queue_purge(&sk->sk_write_queue); 1793 } 1794 1795 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name, 1796 int *msg_namelen) 1797 { 1798 DECLARE_SOCKADDR(struct sockaddr_l2 *, la, msg_name); 1799 1800 memset(la, 0, sizeof(struct sockaddr_l2)); 1801 la->l2_family = AF_BLUETOOTH; 1802 la->l2_psm = bt_cb(skb)->l2cap.psm; 1803 bacpy(&la->l2_bdaddr, &bt_cb(skb)->l2cap.bdaddr); 1804 1805 *msg_namelen = sizeof(struct sockaddr_l2); 1806 } 1807 1808 static void l2cap_sock_init(struct sock *sk, struct sock *parent) 1809 { 1810 struct l2cap_chan *chan = l2cap_pi(sk)->chan; 1811 1812 BT_DBG("sk %p", sk); 1813 1814 if (parent) { 1815 struct l2cap_chan *pchan = l2cap_pi(parent)->chan; 1816 1817 sk->sk_type = parent->sk_type; 1818 bt_sk(sk)->flags = bt_sk(parent)->flags; 1819 1820 chan->chan_type = pchan->chan_type; 1821 chan->imtu = pchan->imtu; 1822 chan->omtu = pchan->omtu; 1823 chan->conf_state = pchan->conf_state; 1824 chan->mode = pchan->mode; 1825 chan->fcs = pchan->fcs; 1826 chan->max_tx = pchan->max_tx; 1827 chan->tx_win = pchan->tx_win; 1828 chan->tx_win_max = pchan->tx_win_max; 1829 chan->sec_level = pchan->sec_level; 1830 chan->flags = pchan->flags; 1831 chan->tx_credits = pchan->tx_credits; 1832 chan->rx_credits = pchan->rx_credits; 1833 1834 if (chan->chan_type == L2CAP_CHAN_FIXED) { 1835 chan->scid = pchan->scid; 1836 chan->dcid = pchan->scid; 1837 } 1838 1839 security_sk_clone(parent, sk); 1840 } else { 1841 switch (sk->sk_type) { 1842 case SOCK_RAW: 1843 chan->chan_type = L2CAP_CHAN_RAW; 1844 break; 1845 case SOCK_DGRAM: 1846 chan->chan_type = L2CAP_CHAN_CONN_LESS; 1847 bt_sk(sk)->skb_msg_name = l2cap_skb_msg_name; 1848 break; 1849 case SOCK_SEQPACKET: 1850 case SOCK_STREAM: 1851 chan->chan_type = L2CAP_CHAN_CONN_ORIENTED; 1852 break; 1853 } 1854 1855 chan->imtu = L2CAP_DEFAULT_MTU; 1856 chan->omtu = 0; 1857 if (!disable_ertm && sk->sk_type == SOCK_STREAM) { 1858 chan->mode = L2CAP_MODE_ERTM; 1859 set_bit(CONF_STATE2_DEVICE, &chan->conf_state); 1860 } else { 1861 chan->mode = L2CAP_MODE_BASIC; 1862 } 1863 1864 l2cap_chan_set_defaults(chan); 1865 } 1866 1867 /* Default config options */ 1868 chan->flush_to = L2CAP_DEFAULT_FLUSH_TO; 1869 1870 chan->data = sk; 1871 chan->ops = &l2cap_chan_ops; 1872 1873 l2cap_publish_rx_avail(chan); 1874 } 1875 1876 static struct proto l2cap_proto = { 1877 .name = "L2CAP", 1878 .owner = THIS_MODULE, 1879 .obj_size = sizeof(struct l2cap_pinfo) 1880 }; 1881 1882 static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 1883 int proto, gfp_t prio, int kern) 1884 { 1885 struct sock *sk; 1886 struct l2cap_chan *chan; 1887 1888 sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern); 1889 if (!sk) 1890 return NULL; 1891 1892 sk->sk_destruct = l2cap_sock_destruct; 1893 sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT; 1894 1895 INIT_LIST_HEAD(&l2cap_pi(sk)->rx_busy); 1896 1897 chan = l2cap_chan_create(); 1898 if (!chan) { 1899 sk_free(sk); 1900 return NULL; 1901 } 1902 1903 l2cap_chan_hold(chan); 1904 1905 l2cap_pi(sk)->chan = chan; 1906 1907 return sk; 1908 } 1909 1910 static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol, 1911 int kern) 1912 { 1913 struct sock *sk; 1914 1915 BT_DBG("sock %p", sock); 1916 1917 sock->state = SS_UNCONNECTED; 1918 1919 if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM && 1920 sock->type != SOCK_DGRAM && sock->type != SOCK_RAW) 1921 return -ESOCKTNOSUPPORT; 1922 1923 if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) 1924 return -EPERM; 1925 1926 sock->ops = &l2cap_sock_ops; 1927 1928 sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC, kern); 1929 if (!sk) 1930 return -ENOMEM; 1931 1932 l2cap_sock_init(sk, NULL); 1933 bt_sock_link(&l2cap_sk_list, sk); 1934 return 0; 1935 } 1936 1937 static const struct proto_ops l2cap_sock_ops = { 1938 .family = PF_BLUETOOTH, 1939 .owner = THIS_MODULE, 1940 .release = l2cap_sock_release, 1941 .bind = l2cap_sock_bind, 1942 .connect = l2cap_sock_connect, 1943 .listen = l2cap_sock_listen, 1944 .accept = l2cap_sock_accept, 1945 .getname = l2cap_sock_getname, 1946 .sendmsg = l2cap_sock_sendmsg, 1947 .recvmsg = l2cap_sock_recvmsg, 1948 .poll = bt_sock_poll, 1949 .ioctl = bt_sock_ioctl, 1950 .gettstamp = sock_gettstamp, 1951 .mmap = sock_no_mmap, 1952 .socketpair = sock_no_socketpair, 1953 .shutdown = l2cap_sock_shutdown, 1954 .setsockopt = l2cap_sock_setsockopt, 1955 .getsockopt = l2cap_sock_getsockopt 1956 }; 1957 1958 static const struct net_proto_family l2cap_sock_family_ops = { 1959 .family = PF_BLUETOOTH, 1960 .owner = THIS_MODULE, 1961 .create = l2cap_sock_create, 1962 }; 1963 1964 int __init l2cap_init_sockets(void) 1965 { 1966 int err; 1967 1968 BUILD_BUG_ON(sizeof(struct sockaddr_l2) > sizeof(struct sockaddr)); 1969 1970 err = proto_register(&l2cap_proto, 0); 1971 if (err < 0) 1972 return err; 1973 1974 err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops); 1975 if (err < 0) { 1976 BT_ERR("L2CAP socket registration failed"); 1977 goto error; 1978 } 1979 1980 err = bt_procfs_init(&init_net, "l2cap", &l2cap_sk_list, 1981 NULL); 1982 if (err < 0) { 1983 BT_ERR("Failed to create L2CAP proc file"); 1984 bt_sock_unregister(BTPROTO_L2CAP); 1985 goto error; 1986 } 1987 1988 BT_INFO("L2CAP socket layer initialized"); 1989 1990 return 0; 1991 1992 error: 1993 proto_unregister(&l2cap_proto); 1994 return err; 1995 } 1996 1997 void l2cap_cleanup_sockets(void) 1998 { 1999 bt_procfs_cleanup(&init_net, "l2cap"); 2000 bt_sock_unregister(BTPROTO_L2CAP); 2001 proto_unregister(&l2cap_proto); 2002 } 2003